
Fabian Wosar

Emsisoft Employee

Everything posted by Fabian Wosar

  1. Published a new version ( that should fix the crash. If it doesn't, please let me know.
  2. None of the products tested by AV Comparatives are downright bad. In fact, AV Comparatives requires every participant to be "good" to even be considered for participation. So it is not surprising that there aren't any drastic differences between the products. User dependent detections are all detections where the user is given the theoretical opportunity to pick the wrong option and get himself infected. They ignore recommendations in those alerts completely. So even if there is a clear recommendation to quarantine, it is counted as user dependent. As a result, a lot of AVs adopted a "better to ask for forgiveness than permission" approach to alerts and will blindly quarantine everything first and give the option to restore from quarantine later, rather than ask the user what he wants to do first like we do. You can configure EAM to use the same approach by adjusting the File Guard settings to "Quarantine with notification" and the Behaviour Blocker to "Use the recommended option" automatically.
  3. In the end, the test brought us no benefit as far as sales were concerned. Accordingly, we decided not to participate any longer. That may change again at some point.
  4. In general if you have a backup, I would restore it. After the server has been compromised, it is probably best to reinstall it. You never know what they did to the system and there are lots of very subtle backdoors they may have placed on the system. Better to be safe than sorry.
  5. UIWIX is a variation of the Cry/Nemesis ransomware. We are currently looking into it.
  6. If the shadow copies have been removed, there is, unfortunately, nothing we can do for you. Sorry.
  7. There isn't. I have been sick for the past week so it was put off until I got better. I have almost recovered though and will probably look into the new version on Sunday.
  8. As a general note: File system filter drivers, which are the base for every on-access scanner, are organised in layers. Each driver is located at a certain altitude, which is assigned by Microsoft. The current assignment can be seen here: https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes This means all requests pass through all layers in a fixed order and are only passed on further if the filter allows it. The moment a driver decides to block the access (which is the case here with ESET blocking access to the malware file), drivers above or below that driver will not see the request and therefore won't scan the file. This is working as intended. Also keep in mind that the defaults of ESET and Emsisoft differ. By default, we only scan files when they are written to or executed, while ESET also scans when a file is merely opened for reading. You can set the EAM File Guard to "Thorough" to get the same behaviour.
  9. Ultimately, this only affects the x64 version of Office. That one is not part of our test systems, since most users run the 32-bit version on 64-bit systems because many plugins and add-ins only support 32-bit. The Office exploit mitigations in the Behaviour Blocker were a little too overzealous in filtering certain actions, which then causes the crash.
  10. For now, you can simply exclude your Office applications. Otherwise, the fix will probably come in the 2017.5 update at the end of the month/beginning of next month.
  11. We have since located the problem and it will be fixed in the next update. The beta version of the update should go out within the next week.
  12. Can you send the decrypter executables that you got from the crooks?
  13. We are currently trying to reproduce the problem internally. In the meantime, it should be enough to add Word to the exclusions.
  14. Without the dump, the log is unfortunately relatively useless. Based on the log alone, the problem seems to be in combase.dll, which we have little to do with.
  15. I doubt that missing DEP in the uninstaller is a serious problem. But yes, it was already fixed a few weeks ago.
  16. Could you please upload an encrypted file and the ransom note at id-ransomware.malwarehunterteam.com and post the address of the results page here? Thanks.
  17. Email is: [email protected] Salt is: Wosar is watching porn on the college. Put both into the decrypter, then hit the calculate button to generate the ID and try to decrypt your files.
  18. The salt should be: The researcher is opening xvideos in New York.
  19. OP didn't even post a question, so how and what exactly should I answer? It's just another "next-gen" AV reseller that creates little videos to scare everyone into jumping onto the next-gen train and increase their profit. We never cared for POC malware. Lots of things are possible and if anyone cared to, they could produce dozens, maybe even hundreds of bypass videos every day for every single product out there.
  20. If you are concerned about PowerShell: Uninstall it. Most people don't need it anyway. It's one less infection vector to worry about.
  21. Version updates happen automatically. However, we don't update the uninstall entry which always refers to the version you installed. You can view the version number by clicking on the "EMSISOFT" on the top left. You can also display the version number permanently on the user interface by hovering over the "Renew" link in the License block. An X should appear to remove the link from the UI and make room for the version number.